Kassem Bazzoun

Published On: 29 Jan 2024

$5,000

Bypass email confirmation on Instagram and Facebook

IDOR
Instagram | Android
---
MEDIUM VALID
Description

When registering for any Meta product, we are required to confirm the contact point (email or phone) used during registration. If it's not confirmed, the 'Account Center' will indicate that this contact point is 'Pending Confirmation'.


Impact

This issue allows the confirmation of any non-registered email that you don't own, bypassing the confirmation process.




Reproduction Steps

Step 1

Register any account on Instagram and confirm it using your EMAIL.

This step is important: you should confirm your Instagram account for the first time with an email you own.

Step 2

Log in to your account using the Instagram Android mobile app.

Step 3

Go to your Instagram Profile -> Edit your Profile.

Step 4

Intercept the request and click "✓" (the icon at the top right).

Note: In newer versions, the 'Edit Profile' behavior may change, and you might not find this request. In such cases, you can directly use the request outlined in step 5, including the required parameters.

Step 5

Manipulate the 'email' parameter to any non-registered email you don't own (a non-registered email is one not linked/registered on Instagram).

Note: The email won't change if the 'username' parameter isn't included, so ensure you correctly input the 'username' parameter. You can remove other params like device_id, _uid, and uid.

 

POST /api/v1/accounts/edit_profile/ HTTP/2
Host: i.instagram.com

signed_body=SIGNATURE.{"primary_profile_link_type":"0","phone_number":"+9617...","username":"kassembazzoun","hide_ig_app_switcher_badge":"false","show_fb_link_on_profile":"false","first_name":"","_uid":"your_uid","device_id":"your_device","biography":"","_uuid":"ur_uuid","email":"any_new_email"}

Step 6

Once you've sent the request, the email will be automatically confirmed. You can verify this by checking the Account Center under 'Personal Details' at https://accountscenter.instagram.com/personal_info/.

In 'Personal Details,' the email will appear as a confirmed contact point, with no 'Pending Confirmation' required.

 

I confirmed a test account with [email protected], or any other non-registered email. The attached image shows how the email is confirmed without requiring further confirmation.


Step 7

If you want to add this contact to your Facebook account, link your Facebook account to the Instagram Account Center using this new Instagram account. This will enable you to link the confirmed email to your Facebook account.

 


Step 8

I successfully added and confirmed emails with the @meta.com domain (an invalid email address) for both my Instagram and Facebook accounts.
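
The steps above show a confirmed status surviving a change of address. As an added illustration (not code from the report or from Meta), this Python sketch models one assumed cause, a confirmation flag stored per account instead of per address, beside a handler that derives the status from the address itself; all class, function and address names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Account:                      # hypothetical model, not Meta's schema
    username: str
    email: str
    email_confirmed: bool = False   # weak: one flag per account
    confirmed: set = field(default_factory=set)  # strong: per-address proof


def norm(email: str) -> str:
    return email.strip().lower()


def confirm_email(acct: Account, email: str) -> None:
    """Runs only after the owner proves control of `email` (code or link)."""
    if norm(email) == norm(acct.email):
        acct.email_confirmed = True
        acct.confirmed.add(norm(email))


def edit_profile_weak(acct: Account, fields: dict) -> str:
    """Overwrites the address; the account-level flag silently carries over."""
    if "email" in fields:
        acct.email = fields["email"]
    return "confirmed" if acct.email_confirmed else "pending"


def edit_profile_strict(acct: Account, fields: dict) -> str:
    """Status is derived from the address, so a new address starts pending."""
    if "email" in fields:
        acct.email = fields["email"]
        acct.email_confirmed = norm(acct.email) in acct.confirmed
    return "confirmed" if acct.email_confirmed else "pending"


def demo(handler) -> tuple:
    # Constructed sample data: a confirmed account, then an address swap.
    acct = Account("example_user", "owner@example.test")
    confirm_email(acct, "owner@example.test")
    after_swap = handler(acct, {"username": acct.username, "email": "other@example.test"})
    after_revert = handler(acct, {"email": "Owner@Example.test"})
    return after_swap, after_revert


if __name__ == "__main__":
    print("weak:  ", demo(edit_profile_weak))    # ('confirmed', 'confirmed')
    print("strict:", demo(edit_profile_strict))  # ('pending', 'confirmed')
```

A regression test for this class of issue asserts that every write path able to change a contact point, not only the dedicated change-email flow, leaves the new value pending until its own confirmation completes.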


Timeline

Kassem 17 Dec 2023
Report Sent

Facebook 04 Jan 2024
Further Information Needed

Kassem 04 Jan 2024
Information Sent: I found that this bug will work only if we have the account with a confirmed email address

Facebook 05 Jan 2024
Triaged: We are sending it to the appropriate product team for further investigation. We will keep you updated on our progress. In the meantime please ref ...

Facebook 10 Jan 2024
Bounty Awards: After reviewing this issue, we have decided to award you a bounty of $5000. Meta fulfills its bounty awards through Bugcrowd and HackerOne.

Facebook 17 Jan 2024
Resolved

VALID